Hacking Oracle Data Redaction

Last month Oracle ACE Director Oded Raz published an article about Data Redaction. This month, Oded will explain some of the vulnerabilities of data redaction and how to “hack it”. I would like to thank Oded for his contribution and invite him to publish more things in the future.

In my last article I introduced the new Oracle security feature, Data Redaction: selective, on-the-fly redaction of sensitive data in SQL query results before it is displayed by applications, so that unauthorized users cannot view the sensitive data. Although I welcome this feature and think it is a much-needed addition to Oracle's database security features, it has some limitations that you need to be aware of before relying on it to protect sensitive data.


Fine-Grained Audit and ORA-28134 Error

I have been working on hardening a customer's database. Database security isn't really my cup of tea, but it seems to be very popular these days. One of the customer's requirements was the ability to monitor database operations (which is very easy with the simple Oracle Audit features).

After we did that, the customer needed another kind of auditing. He has sensitive data in one of the tables and wanted some kind of auditing of access to that table. The table is central to one of his applications, so he asked that the application itself be excluded from the monitoring.

My first thought was to use simple auditing for that, but a short investigation showed that once an object is being audited, there is no way to exclude a particular application. Another solution that came to mind was the older Fine-Grained Auditing (DBMS_FGA). I know I'm coming a bit late to the party, and I know Oracle 12c has new and exciting ways of auditing, but the customer was not on 12c and is not planning to upgrade soon.
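The pattern the paragraph describes (audit every access to a sensitive table except the one application that legitimately uses it), as an added example that is not code from the post. The schema, table, column, policy, module and account names and the IP address are hypothetical; the mechanism is DBMS_FGA.ADD_POLICY with an audit_condition that evaluates to FALSE for the excluded application's sessions.

```sql
-- Added example, not the post's code. HR.EMPLOYEES, SALARY, PAYROLL_APP,
-- the policy name and the IP address are all hypothetical.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ACCESS_NOT_FROM_APP',
    -- A statement is audited only when this condition is TRUE.
    -- The NVL matters: a session that never set MODULE yields NULL, and
    -- "NULL <> 'PAYROLL_APP'" is not TRUE, so that session would silently
    -- escape the audit.
    audit_condition => q'[NVL(SYS_CONTEXT('USERENV','MODULE'), '-') <> 'PAYROLL_APP']',
    audit_column    => 'SALARY',                 -- fire only when this column is touched
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED,     -- keep SQL text and bind values
    enable          => TRUE);
END;
/

-- Verify what was recorded; the application's own sessions should be absent.
SELECT timestamp, db_user, os_user, userhost, client_id, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'EMP_ACCESS_NOT_FROM_APP'
 ORDER BY timestamp DESC;

-- Caveat: MODULE is set by the client, so any session can claim to be the
-- application and drop out of the audit trail with one call:
--   EXEC DBMS_APPLICATION_INFO.SET_MODULE('PAYROLL_APP', NULL);
-- Tie the exclusion to attributes the client cannot simply choose, such as
-- the application's dedicated account and the host it connects from.
BEGIN
  DBMS_FGA.DROP_POLICY(object_schema => 'HR',
                       object_name   => 'EMPLOYEES',
                       policy_name   => 'EMP_ACCESS_NOT_FROM_APP');
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ACCESS_NOT_FROM_APP',
    audit_condition => q'[NOT (SYS_CONTEXT('USERENV','SESSION_USER') = 'PAYROLL_APP'
                             AND SYS_CONTEXT('USERENV','IP_ADDRESS') = '10.0.5.21')]',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/
```

The second policy is the one to keep: an exclusion keyed on a client-supplied label is an exclusion any user can grant themselves, whereas SESSION_USER and IP_ADDRESS are established by authentication and the network path. Run the DBA_FGA_AUDIT_TRAIL query again after a test from a non-application session to confirm the row appears.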


Oracle Data Redaction

Here is a real treat: my good friend and colleague, Oracle ACE Director Oded Raz, has agreed to publish a couple of his high-end pieces on database security on my blog.
This time, Oded tells us about Data Redaction.

Sensitive data is everywhere in our organizations' systems. Today, organizations are required to protect sensitive data; these requirements come from regulations, from laws, and from the organization's own need to keep its data and its customers' information from falling into the wrong hands.

Data masking can dynamically or statically protect sensitive data by replacing it with fictitious data that looks realistic, to prevent data loss in different use cases. Understanding the difference between Static Data Masking (SDM) and Dynamic Data Masking (DDM) is crucial for implementing the right solution for each situation.
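To make the SDM/DDM distinction concrete, and to show the kind of limitation the first post above warns about, here is an added example that is not code from either post. It defines an Oracle Data Redaction policy (DBMS_REDACT, which is dynamic masking), shows that a redacted column is still usable in WHERE and ORDER BY, and contrasts it with a static masked copy. HR.EMPLOYEES, SALARY, PAYROLL_APP, HR_TEST and the policy name are hypothetical.

```sql
-- Added example, not code from the posts. Object and account names are
-- hypothetical. Data Redaction is dynamic masking: the stored value is left
-- untouched and the result set is rewritten at query time for sessions that
-- match the policy expression.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    column_name   => 'SALARY',
    policy_name   => 'REDACT_SALARY',
    function_type => DBMS_REDACT.FULL,   -- numeric columns come back as 0
    -- Redact for every session except the payroll application's own account.
    expression    => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'PAYROLL_APP']',
    enable        => TRUE);
END;
/

-- As an ordinary user, the projected value is masked ...
SELECT employee_id, salary FROM hr.employees WHERE employee_id = 100;

-- ... but redaction rewrites output only, not predicates or sort keys, so the
-- real value is still usable for inference. This is the documented behaviour
-- of the feature, not a misconfiguration of this policy.
SELECT employee_id FROM hr.employees WHERE salary > 150000;
SELECT employee_id FROM hr.employees ORDER BY salary DESC;

-- Two checks worth running when reviewing a redaction deployment:
-- which policies exist, and who is exempt from all of them.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT REDACTION POLICY';

-- Static masking, by contrast, is a one-time rewrite of a copy (here a test
-- schema): the real value no longer exists in the target, so no predicate
-- can recover it. The trade-off is that the copy must be regenerated
-- whenever the source changes.
CREATE TABLE hr_test.employees AS
SELECT employee_id,
       last_name,
       ROUND(DBMS_RANDOM.VALUE(30000, 150000), -2) AS salary
  FROM hr.employees;
```

The practical rule that follows: DDM is appropriate when the consumer only needs to display data and cannot run ad hoc SQL against the table; for analysts, developers and test environments, where users choose their own predicates, a statically masked copy is the safer choice.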